{"id":9838,"date":"2026-01-13T10:04:15","date_gmt":"2026-01-13T10:04:15","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/01\/13\/new-angular-vulnerability-enables-an-attacker-to-execute-malicious-payload\/"},"modified":"2026-01-13T10:04:15","modified_gmt":"2026-01-13T10:04:15","slug":"new-angular-vulnerability-enables-an-attacker-to-execute-malicious-payload","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/01\/13\/new-angular-vulnerability-enables-an-attacker-to-execute-malicious-payload\/","title":{"rendered":"New Angular Vulnerability Enables an Attacker to Execute Malicious Payload"},"content":{"rendered":"

New Angular Vulnerability Enables an Attacker to Execute Malicious Payload
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A critical Cross-Site Scripting (XSS<\/a>) vulnerability has been discovered in Angular\u2019s Template Compiler, affecting multiple versions of both @angular\/compiler and @angular\/core packages.<\/p>\n

Tracked as CVE-2026-22610, this vulnerability allows attackers to bypass Angular\u2019s built-in security protections and execute arbitrary JavaScript code<\/a> within victim browsers.<\/p>\n

The Vulnerability<\/strong><\/h2>\n

The flaw exists in Angular\u2019s <\/a>internal sanitization schema, which fails to properly recognize the\u00a0href\u00a0and\u00a0xlink:href\u00a0attributes of SVG\u00a0<script>\u00a0elements as resource URLs requiring strict validation.<\/p>\n

This oversight enables attackers to inject malicious payloads<\/a> via template bindings, thereby executing unauthorized code in users\u2019 sessions.<\/p>\n

\n\n\n\n\n\n\n\n\n\n
Field<\/th>\nDetails<\/th>\n<\/tr>\n<\/thead>\n
CVE ID<\/strong><\/td>\nCVE-2026-22610<\/td>\n<\/tr>\n
Vulnerability Type<\/strong><\/td>\nCross-Site Scripting (XSS)<\/td>\n<\/tr>\n
CWE<\/strong><\/td>\nCWE-79: Improper Neutralization of Input During Web Page Generation<\/td>\n<\/tr>\n
CVSS v4 Score<\/strong><\/td>\n7.6 (High)<\/td>\n<\/tr>\n
CVSS Vector<\/strong><\/td>\nCVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:L\/UI:A\/VC:H\/VI:H\/VA:H\/SC:N\/SI:N\/SA:N<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

When developers use Angular\u2019s property binding syntax (such as\u00a0[attr.href]=\u201duserInput\u201d), the compiler treats these SVG script<\/a> attributes as standard strings rather than dangerous resource links.<\/p>\n

This misclassification allows malicious data, including\u00a0data: text\/javascript\u00a0URIs or links to external malicious scripts, to bypass security checks. Successful exploitation of this vulnerability can lead to severe consequences.<\/p>\n

Attackers may steal session cookies, localStorage data, or authentication tokens to hijack<\/a> user accounts.<\/p>\n

They could also exfiltrate sensitive information displayed within applications or perform unauthorized actions on behalf of authenticated users.<\/p>\n

The vulnerability carries a CVSS v4 base score of 7.6 (High severity). It requires low attack complexity and relatively low privilege levels to exploit.<\/p>\n

Affected Versions and Fixed Versions<\/strong><\/h2>\n
\n\n\n\n\n\n\n\n\n\n
Angular Package<\/th>\nAffected Versions<\/th>\nFixed \/ Safe Versions<\/th>\n<\/tr>\n<\/thead>\n
@angular\/compiler, @angular\/core<\/td>\n\u2265 21.1.0-next.0 and < 21.1.0-rc.0<\/td>\n21.1.0-rc.0 or later<\/td>\n<\/tr>\n
@angular\/compiler, @angular\/core<\/td>\n\u2265 21.0.0-next.0 and < 21.0.7<\/td>\n21.0.7 or later<\/td>\n<\/tr>\n
@angular\/compiler, @angular\/core<\/td>\n\u2265 20.0.0-next.0 and < 20.3.16<\/td>\n20.3.16 or later<\/td>\n<\/tr>\n
@angular\/compiler, @angular\/core<\/td>\n\u2265 19.0.0-next.0 and < 19.2.18<\/td>\n19.2.18 or later<\/td>\n<\/tr>\n
@angular\/compiler, @angular\/core<\/td>\n\u2264 18.2.14<\/td>\nNo patch available \u2014 upgrade required<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Exploitation requires specific conditions: the target application must use SVG\u00a0<script>\u00a0elements in templates with dynamic property or attribute bindings for\u00a0href\u00a0or\u00a0xlink:href\u00a0attributes, and the bound data must originate from untrusted sources.<\/p>\n

According to GitHub<\/a> advisory, developers should immediately update Angular to patched versions.<\/p>\n

Until patches are applied, avoid using dynamic bindings with SVG script elements and implement strict server-side input validation for any dynamic URL values before they reach templates.<\/p>\n

Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n

The post New Angular Vulnerability Enables an Attacker to Execute Malicious Payload<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Abinaya
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

New Angular Vulnerability Enables an Attacker to Execute Malicious Payload A critical Cross-Site Scripting (XSS) vulnerability has been discovered in Angular\u2019s Template Compiler, affecting multiple versions of both @angular\/compiler and @angular\/core packages. Tracked as CVE-2026-22610, this vulnerability allows attackers to bypass Angular\u2019s built-in security protections and execute arbitrary JavaScript code within victim browsers. The Vulnerability […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131,648],"tags":[130],"class_list":["post-9838","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9838"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=9838"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9838\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=9838"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=9838"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=9838"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}